To understand how businesses are tackling the challenge of supply chain cyber security, NCC Group has conducted a global study exploring the key concerns, pressures, and priorities shaping their approach.

The State of Supply Chain Security report surveyed over 1,000 professionals responsible for cyber security in organisations with over 500 employees across the UK, Australia, Germany, the Netherlands, Singapore, Spain, the Philippines, and the US.

Our findings offer a compelling snapshot of how decision-makers around the world have perceived and responded to evolving supply chain risks. The research highlights that the rising tide of risk is crashing into supply chains, with 68% of organisations expecting attacks to become even more severe.

At the same time, emerging technologies like artificial intelligence are reshaping how we operate, unlocking new efficiencies, but also introducing new vulnerabilities.

The findings come as more stringent cyber security regulation has been introduced globally to boost resilience strategies. This includes the UK’s Cyber Security Resilience Bill, as well as the EU’s NIS2 Directive and the Digital Operational Resilience Act (DORA). 

Increased regulation is welcomed by businesses, with 90% of respondents confident that cyber security standards and policies reduce the risk of supply chain attacks. Yet the introduction of more legal frameworks could make managing supply chains more complex for global businesses. 

Mike Maddison, our CEO, says: “Supply chain security is an iceberg. What’s visible above the surface is only a fraction of the risk. Beneath lies a vast, often unseen network of dependencies and exposures.”

The research identifies three critical risk areas that demand attention:

The study shows 94% of respondents are confident in their ability to respond to a supply chain attack; 92% trust their suppliers to follow best practices. Yet only 66% regularly assess supplier risk. This disconnect suggests some businesses may be underestimating the scale of the threat. Are organisations sleepwalking into a resilience crisis?

While 57% of CEOs believe they have strong visibility into supply chain security, only 30% of directors and 18% of team supervisors agree. Responsibility is often pushed to cyber security teams, with 62% saying it’s their job alone. But resilience can’t live in a silo. It requires shared ownership across the business.

AI is now the top emerging risk in supply chain security. 59% of respondents expect it to drive the greatest increase in threat over the next year. Yet many organisations lack visibility into how AI is being used, both by employees and by attackers. From data poisoning to model manipulation, the risks are real and rising.

Click here to read NCC Group’s report.

For more information on fraud and how to protect your business from cyber attacks, visit your bank’s Security Centre.